The audit service is regulated by the following parameters:
Classes of attributable and non-attributable events
Audit policy
Audit plugins
Queue controls
To display the audit service defaults, you typically use auditconfig -get* subcommand. This subcommand displays the current configuration of the parameter that is represented by the asterisk (*), such as –getflags –getpolicy, or –getqctrl. To display information about classes for non-attributable events, use the auditconfig -getnaflags subcommand.
For more information about the auditconfig command, see the auditconfig (1M) man page.
The following examples show the appropriate command syntax to use to display the default audit configuration settings.
Example 3-1 Displaying Default Class for EventsIn this example, two subcommands are used to display the preselected classes for attributable and non-attributable events respectively. To see which events are assigned to a class, and therefore which events are being recorded, run the auditrecord -c class command.
# auditconfig -getflags active user default audit flags = lo(0x1000,0x1000) configured user default audit flags = lo(0x1000,0x1000)
lo is the flag for the login/logout audit class. The format of the mask output is (success,failure).
# auditconfig -getnaflags active non-attributable audit flags = lo(0x1000,0x1000) configured non-attributable audit flags = lo(0x1000,0x1000)Example 3-2 Displaying the Default Audit Policy
$ auditconfig -getpolicy configured audit policies = cnt active audit policies = cnt
The active policy is the current policy, but the policy value is not being stored by the audit service. The configured policy is stored by the audit service, so the policy is restored when you restart the audit service.
Example 3-3 Displaying the Default Audit Plugins$ auditconfig -getplugin Plugin: audit_binfile Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1; Plugin: audit_syslog (inactive) Attributes: p_flags=; Plugin: audit_remote (inactive) Attributes: p_hosts=;p_retries=3;p_timeout=5;
The audit_binfile plugin is active by default.
Example 3-4 Displaying the Audit Queue Controls$ auditconfig -getqctrl no configured audit queue hiwater mark no configured audit queue lowater mark no configured audit queue buffer size no configured audit queue delay active audit queue hiwater mark (records) = 100 active audit queue lowater mark (records) = 10 active audit queue buffer size (bytes) = 8192 active audit queue delay (ticks) = 20
The active queue control is the queue control that is currently used by the kernel. The string no configured indicates that the system is using the default values.